01-23-2019 01:07 PM - edited 01-24-2019 07:39 AM
Hi All,
I'm looking for guidance / advice on connecting a homelab to my existing home internet connection. I've tried to set this up, but I am not able to ping the gateway of last resort (the LAN side of my ISP router/modem) from any device on my network, although I can ping it (and public IP addresses) from my Cisco router. My gut feeling is that the issue lies with the ISP router/modem, in that it doesn't know the route back to my VLANs to return traffic (and I cannot change that because the ISP has it locked down to prevent "normal user" access).
My setup is as follows (diagram attached):
The 2811 has a static gateway of last resort pointing at the Thomson SpeedTouch's LAN switch fixed IP (192.168.1.254). If I SSH into the 2811, I can ping that IP, as well as public IPs (8.8.8.8 and so on).
However, if I SSH into any of the switches, not only can I not ping the Thomson SpeedTouch's LAN switch fixed IP (192.168.1.254), but also (obviously) no public IPs. The same applies to any device on any VLAN.
Any ideas??
01-23-2019 01:19 PM
You are very probably right that it is because the modem does not know how to route back to your internal subnets, and as you can't modify the modem, the other way is to NAT all your internal subnets to the 192.168.1.200 IP on your fa0/0 interface, which the modem does know how to get to:
! Inside interfaces: one subinterface per VLAN (names and subnets assumed from the diagram)
int gi0/0.10
ip nat inside
int gi0/0.20
ip nat inside
int gi0/0.30
ip nat inside
! Outside interface: the 192.168.1.200 address the modem can reach
int fa0/0
ip nat outside
! ACL 101 only selects which source addresses are translated; it is not applied to any interface
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 any
! PAT (overload) everything matched by ACL 101 to the fa0/0 address
ip nat inside source list 101 interface fa0/0 overload
Note: I have assumed the subnets based on your diagram, but you can change them to match.
Jon
01-23-2019 02:02 PM
Fabulous Jon, that did the trick! Many thanks!
I had a hunch it was going to have to be a NAT solution in the end.
I guess with this approach, though, there's no real ACL in place to prevent attacks (I was looking at implementing reflexive ACLs). Would these replace the ACL you suggested above, or be implemented in addition to it?
Thanks again!
01-23-2019 02:06 PM
The ACL for the NAT is completely separate from any ACLs you apply to an interface to filter traffic, so you can still use ACLs for that if you want.
Not sure I have fully understood the question so by all means add some more detail if needed and I will pick this up tomorrow.
Jon
01-24-2019 12:37 AM
Hi Jon and thanks once again for your time and helpful advice
OK, so if I understand you correctly, I can create a separate ACL for firewall / traffic filtering purposes and apply it to the same interface (fa0/0), and the two will work independently of one another?
My intention is to create named ACLs and use the reflect feature to check that incoming return traffic was first requested from the internal networks.
So can I create these named ACLs separately, or do I need to somehow append the permit statements to the NAT ACL?
Many thanks in advance!
Lee
01-24-2019 01:32 AM
The NAT ACL is just telling the router which traffic to NAT, i.e. it is not applied to any interface and does not filter traffic, so yes, you can create your traffic-filtering ACLs separately and apply them directly to the router interface(s).
Jon
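Putting Jon's two points together (the PAT overload to the fa0/0 address, and the fact that the NAT selection ACL and the interface filtering ACLs are independent objects), here is a complete 2811 configuration with Lee's reflexive ACL idea added. This is an added example, not configuration from the thread; the VLAN subnets, the use of fa0/1 for the trunk towards the switches, and the ACL names OUTBOUND, INBOUND and RETURN are assumptions, since the original diagram is not available.

```cisco
! Outside: the only address the ISP modem knows a route to.
! Both filtering ACLs are applied here with ip access-group;
! ACL 101 (below) is NOT applied to any interface.
interface FastEthernet0/0
 description Outside - towards Thomson SpeedTouch LAN (192.168.1.254)
 ip address 192.168.1.200 255.255.255.0
 ip nat outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Inside: 802.1Q trunk to the switches, one subinterface per VLAN (assumed layout)
interface FastEthernet0/1
 no ip address
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
! NAT selection ACL: decides which sources are translated, filters nothing.
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! Filtering ACLs (separate from 101). OUTBOUND is evaluated after
! inside-to-outside NAT, so sessions are recorded in the reflexive ACL
! RETURN with the translated source 192.168.1.200. INBOUND is evaluated
! before outside-to-inside NAT, so replies still carry 192.168.1.200 as
! destination and match the RETURN entries.
ip access-list extended OUTBOUND
 permit tcp any any reflect RETURN timeout 300
 permit udp any any reflect RETURN timeout 60
 permit icmp any any reflect RETURN timeout 30
!
ip access-list extended INBOUND
 evaluate RETURN
 deny ip any any log
!
ip reflexive-list timeout 120
!
! Verification (exec mode):
!   show ip nat translations     - one entry per translated session
!   show access-lists RETURN     - dynamic reflexive entries currently open
!   show access-lists INBOUND    - hit counts on the final deny
```

Two caveats worth knowing before relying on this. First, reflexive entries are only created for traffic passing through the router, so pings or SSH sessions started from the 2811 itself out of fa0/0 will have their replies dropped by INBOUND; test from a host on a VLAN, not from the router. Second, the inbound `deny ip any any log` also drops anything the modem initiates towards 192.168.1.200, which is what you want for an untrusted ISP device, but it means you must add explicit `permit` lines above `evaluate RETURN` for any service you deliberately expose.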
01-24-2019 02:03 AM
Fabulous!
Once again, many thanks for your helpful advice and wisdom Jon!
Kind Regards
Lee